Architecture: Tech Stack
Firezone has a unique mix of data throughput, reliability, and scability requirements. So we made sure to pick the right tools for the job. Here's a high-level overview of the tech stack choices we made and why.
Control plane
The control plane, which includes the admin portal, control plane API, and Policy Engine, is built using Elixir and Phoenix.
Elixir is a functional programming language that's received lots of attention in recent years for its performance and concurrency properties.
It's built on top of the Erlang VM, which has a reputation for being fault-tolerant and highly concurrent. Erlang continues to power some of the world's most reliable systems, including a wide variety of telecom equipment and messaging platforms like WhatsApp.
Together, these technologies power Firezone's realtime control plane API, allowing it to reliably handle thousands of policy decisions per second.
Data plane
The data plane, which includes the Clients, Gateway, and Relay, is built using Rust.
Rust is a systems programming language that's known for its performance and safety. Not only do its memory safety guarantees prevent entire categories of security vulnerabilities, but it also has an outstanding ecosystem of libraries and tools that make it a great choice for building performant network applications.
Client architecture
Some parts of the macOS, iOS, and Android applications can't be built in Rust, and so a foreign function interface (FFI) is used to call into either Swift or Kotlin code appropriately. In general, we strive to keep the FFI architecture as simple as possible, leaving Rust-land only when absolutely required.
Internally, the Clients maintain two primary types of state:
- Control plane event loop
- Data plane state machine
These manage the control path and hot paths of the Client, respectively. They interact through a thin software layer to exchange WireGuard keys and STUN information between the control plane API and the TUN interface.
For a deep dive into Firezone's data plane architecture and its sans-IO design, we recommend reading sans-IO: The secret to effective Rust for network services.
Here's a high-level diagram of the various software components used in the Client applications:
The separation between control plane and data plane state serves two functions:
- It ensures that control plane messages do not slow down or otherwise block the data plane processing loop.
- It allows the Client to withstand temporary network partitions from the control plane API without dropping data plane packets. This means, for example, existing connections to Resources continue to operate uninterrupted even as we deploy new versions of the control plane API.
Ops and infrastructure
Firezone uses the following tools for ops and infrastructure:
| Category | Tool/Service |
|---|---|
| Cloud provider: Control plane | Google Cloud Platform |
| Cloud provider: Relays | Microsoft Azure |
| Source code management | GitHub |
| CI/CD | GitHub Actions |
| Monitoring and alerting | Sentry |
| Logging | Sentry |
| Persistence store | Google Cloud SQL (PostgreSQL) |
| Infrastructure as code | Terraform |
Regional availability
Firezone Relays are deployed globally to ensure low-latency fallback paths for cases where direct peer-to-peer connections aren't possible. Relays are deployed in the following Azure regions:
| City | Region |
|---|---|
| Auckland | New Zealand North |
| Dubai | UAE North |
| Doha | Qatar Central |
| Frankfurt | Germany West Central |
| Gävle | Sweden Central |
| Hong Kong | East Asia |
| Illinois | North Central US |
| Iowa | Central US |
| Ireland | North Europe |
| Jakarta | Indonesia Central |
| Johannesburg | South Africa North |
| Kuala Lumpur | Malaysia West |
| London | UK South |
| Madrid | Spain Central |
| Milan | Italy North |
| Oslo | Norway East |
| Paris | France Central |
| Phoenix | West US 3 |
| Pune | Central India |
| Querétaro | Mexico Central |
| Santiago | Chile Central |
| São Paulo | Brazil South |
| Seoul | Korea Central |
| Singapore | Southeast Asia |
| Sydney | Australia East |
| Tel Aviv | Israel Central |
| Tokyo | Japan East |
| Toronto | Canada Central |
| Virginia | East US |
| Virginia | East US 2 |
| Warsaw | Poland Central |
| Washington | West US 2 |
| Zurich | Switzerland North |
Regional availability map
Need additional help?
See all support options or try asking on one of our community-powered support channels:
- Discussion forums: Ask questions, report bugs, and suggest features.
- Discord server: Join discussions, meet other users, and chat with the Firezone team
- Email us: We read every message.